When two hosts communicate over a network, various processes are performed both in the terminal hosts (servers, client terminals and the like) and in communication relay apparatuses (routers, firewalls and the like) located between them. The load of each process varies with the total amount of traffic to be processed and with the complexity of the processing itself. Some processes therefore load the system heavily and may create a bottleneck that limits the communication performance between the terminal hosts.
In one load balancing relay technique, this is avoided or mitigated by providing plural apparatuses that perform the same processes, and distributing the communications traffic to those apparatuses.
Depending on the application, the load balancing relay technique may be load balancing of terminal hosts, such as servers, or load balancing of communication relay apparatuses, such as firewalls. The first technique, terminal host load balancing, uses either a load balancer (load balancing relay apparatus) or a DNS (Domain Name System) server. The second technique, communication relay apparatus load balancing, uses either a load balancer of the kind used for terminal hosts, or an autonomous load balancing function built into the apparatuses that perform the load balanced process.
When traffic arrives from a certain interface, the load balancer selects, using a predetermined algorithm, one of the plural apparatuses that perform the load balanced process, and relays the traffic to that apparatus. This predetermined algorithm (load balancing algorithm) may calculate a hash value from header information such as the sender's IP (Internet Protocol) address or the destination IP address to determine the relay apparatus, it may determine the relay apparatus by round robin, or it may take the relay apparatus with the lightest load (or the fewest assigned hosts or flows) as the load balancing target apparatus.
In load balancing for terminal hosts using a load balancer, the load balancing target apparatus (in this example, a terminal host such as a server) is located at an endpoint of the communications traffic. Therefore, the load balancer is situated only on the route between the load balancing target apparatuses and the terminal hosts which communicate with them. Only the communications traffic from the terminal host to the load balancing target apparatus is subjected to a load balancing relay process. On the other hand, the communications traffic from the load balancing target apparatus to the terminal host is merely relayed to the interface facing that terminal host. Therefore, the load balancing algorithm used by the load balancer may be based on a hash, round robin, the load of each load balancing target apparatus, or the number of flows assigned to each.
In general, in the load balancing target apparatus in terminal host-oriented load balancing, server software of a specific application is operating. If this application is accompanied by user authentication, the load balancing target apparatus can determine the correspondence between communications traffic and client user data. In addition, the load balancing target apparatus and load balancer are often managed and operated by the same administrator. For this reason, a service that differs for each user can also be applied using a special load balancer (for example, JP-A No. 152783/2003, referred to herein as Patent document 1). Patent document 1 describes a load balancer that can provide a different service for every user by determining a priority corresponding to the SSL (Secure Sockets Layer) session identifier transmitted to the load balancer.
In the case of load balancing for a communication relay apparatus using a load balancer, the load balancing target apparatus (in this example, a communication relay apparatus such as a firewall) is situated in the middle instead of at the ends of the communications traffic. Therefore, a load balancer is situated on both sides of the load balancing target apparatus, and communications traffic reaching the load balancer on the network side is relayed by the load balancer from one network, such as a network in a company, for example, to one of plural load balancing target apparatuses. The traffic is then relayed to another network, such as the Internet, for example, via the load balancing target apparatus and the other load balancer. The same is true of traffic in the opposite direction.
Many load balancing target apparatuses, in order to correctly perform processing in the apparatus, require that communication between the same terminal hosts passes through the same load balancing target apparatus in the outgoing and incoming directions. Therefore, the load balancers on both sides of the load balancing target apparatus relay communications traffic in the outgoing and incoming directions via the same load balancing target apparatus using one of the following two techniques.
(1) A load balancing algorithm, such as a hash, that always determines the same relay destination apparatus whenever the combination of destination IP address and sender IP address is the same, is used.
(2) One load balancer observes the packets that the other load balancer has relayed through the load balancing target apparatuses, stores the combination of sender and destination IP address together with the load balancing target apparatus through which the packet passed, and when a packet arrives in the opposite direction, determines the relay destination apparatus from this stored information.
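The following Python model is an added example, not part of this specification, and illustrates the algorithms named above and the two path-symmetry techniques (1) and (2), together with the autonomous variant in which every target apparatus evaluates the same function. The target names, addresses and flow list are constructed for the example. It also shows a caveat implied by technique (1): a hash over the sender/destination pair only yields the same target in both directions if the pair is hashed in an order-independent way.

```python
import hashlib
import ipaddress
from typing import Dict, List, Tuple

# Constructed pool of three load balancing target apparatuses (e.g. firewalls).
# The names are assumptions for this example, not identifiers from the page.
TARGETS: List[str] = ["fw0", "fw1", "fw2"]


def _bucket(key: bytes, targets: List[str]) -> str:
    digest = hashlib.sha256(key).digest()
    return targets[int.from_bytes(digest[:4], "big") % len(targets)]


def naive_hash_select(src_ip: str, dst_ip: str, targets: List[str] = TARGETS) -> str:
    """Order-dependent hash of (sender, destination): the reply packet, which has
    the two addresses swapped, may land on a different target apparatus."""
    key = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    return _bucket(key, targets)


def symmetric_hash_select(src_ip: str, dst_ip: str, targets: List[str] = TARGETS) -> str:
    """Technique (1): hash over the unordered address pair, so outgoing and
    incoming packets of one conversation map to the same target with no state."""
    a, b = sorted((ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)), key=int)
    return _bucket(a.packed + b.packed, targets)


def autonomous_should_process(my_name: str, src_ip: str, dst_ip: str,
                              targets: List[str] = TARGETS) -> bool:
    """Autonomous load balancing: every target apparatus receives the packet,
    evaluates the same deterministic function, and only the selected one processes
    it; the others discard it. Round robin or least-load choices cannot be used
    here because each apparatus decides without consulting the others."""
    return symmetric_hash_select(src_ip, dst_ip, targets) == my_name


class LearningBalancer:
    """Technique (2): one of a pair of balancers placed on either side of the
    target pool. New flows may use any algorithm (round robin or fewest assigned
    flows); a flow already relayed by the peer in the other direction is pinned
    to the target it was observed on."""

    def __init__(self, targets: List[str], algorithm: str = "round_robin") -> None:
        self.targets = targets
        self.algorithm = algorithm
        self.table: Dict[Tuple[str, str], str] = {}   # (src, dst) -> target
        self.flows_per_target: Dict[str, int] = {t: 0 for t in targets}
        self._rr = 0

    def observe(self, src_ip: str, dst_ip: str, target: str) -> None:
        # A packet src->dst arrived on the link from `target`, i.e. the peer
        # balancer relayed it through that apparatus. Remember the binding.
        self.table[(src_ip, dst_ip)] = target
        self.flows_per_target[target] += 1

    def select(self, src_ip: str, dst_ip: str) -> str:
        # A flow seen in either direction keeps its target.
        pinned = self.table.get((src_ip, dst_ip)) or self.table.get((dst_ip, src_ip))
        if pinned is not None:
            return pinned
        if self.algorithm == "least_flows":
            target = min(self.targets, key=lambda t: self.flows_per_target[t])
        else:
            target = self.targets[self._rr % len(self.targets)]
            self._rr += 1
        self.table[(src_ip, dst_ip)] = target
        self.flows_per_target[target] += 1
        return target


def simulate_two_sided(flows: List[Tuple[str, str]], algorithm: str = "round_robin") -> bool:
    """Model the company-side and Internet-side balancers. Returns True when every
    reply packet is relayed through the same target as its outgoing packet."""
    inside = LearningBalancer(TARGETS, algorithm)
    outside = LearningBalancer(TARGETS, algorithm)
    for src, dst in flows:
        out_target = inside.select(src, dst)      # outgoing packet src -> dst
        outside.observe(src, dst, out_target)     # outside sees it arrive from that target
        back_target = outside.select(dst, src)    # reply packet dst -> src
        if back_target != out_target:
            return False
    return True
```

With `simulate_two_sided` the inside balancer is free to use round robin or fewest-flows, which is exactly what technique (1) forbids, at the cost of the outside balancer having to observe every relayed packet and keep a flow table; that observation and table state is the forwarding-performance cost referred to later in this background.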
In the case of load balancing for a communication relay apparatus using the autonomous load balancing function of the load balancing target apparatus, all load balancing target apparatuses receive the communications traffic, and each apparatus determines whether it should process the traffic. Only the apparatus that determines that it should process the traffic processes and relays it; the other apparatuses discard it. Because each apparatus makes this determination on its own, the load balancing algorithm is limited, as in (1) where a load balancer was used, to an algorithm (a hash, etc.) that always gives the same deterministic result on every apparatus.
In load balancing for the communication relay apparatus, the load balancer and load balancing target apparatus are situated at the midpoint of the communications traffic. In general, at the midpoint of this communication, the information for obtaining a correspondence between the communications traffic and terminal host user consists of only the IP address. Therefore, it is impossible to perform processing which provides a different service for every user by the load balancer except for the case where a fixed IP address is assigned to the user host, and the administrator of the load balancer knows the assignment.
On the other hand, when an ISP (Internet Service Provider) receives an Internet access request from a user host, it performs user authentication and, in order to provide the connection, uses an apparatus known as a BAS (Broadband Access Server). The BAS is generally the layer 3 packet relay apparatus (router) of the ISP (or of the access-line contractor who provides the circuit between the user and the ISP) that is positioned nearest to the user. The BAS holds a correspondence between, on one side, the layer 2 session of each user by PPP (Point to Point Protocol) or VLAN (Virtual Local Area Network), or the IP address dynamically assigned to the user by PPP or DHCP (Dynamic Host Configuration Protocol), and, on the other side, information about the user including a user identifier. Hence, although the BAS is located at the midpoint between the user host and a server on the Internet, it is an apparatus which can make a correspondence between communications traffic and user data. Therefore, it may be considered that by using the BAS, an ISP can provide a different level of service for every user, such as a security service by a firewall, for example.
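As an added example (not part of this specification), the following Python model shows the correspondence a BAS holds between a user identifier, its layer 2 session and its dynamically assigned IP address, and how a relay decision at the BAS position can be made per user from nothing more than the IP addresses in a packet. It also handles the edge case that the earlier discussion of midpoint apparatuses turns on: a dynamically assigned address is reused, so a stale binding must be replaced when a new session takes the address, and an address with no known user falls back to a default treatment. The user names, session identifiers, addresses and policy labels are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class UserSession:
    user_id: str          # user identifier learned at authentication
    session_id: str       # layer 2 session: a PPP session or VLAN id (constructed label)
    ip: str               # IP address dynamically assigned by PPP or DHCP
    service_level: str    # policy label, e.g. "inspect" or "bypass" (assumed labels)


# Assumed mapping from per-user service level to relay treatment; "default"
# is deliberately the inspecting path so that an unknown address is never
# relayed around the security apparatus.
POOLS: Dict[str, str] = {
    "inspect": "firewall_pool",
    "bypass": "direct",
    "default": "firewall_pool",
}


class BasSessionTable:
    """Correspondence held by a BAS between user, layer 2 session and assigned IP.
    A constructed model, not a real BAS implementation."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, UserSession] = {}
        self.by_session: Dict[str, UserSession] = {}

    def connect(self, user_id: str, session_id: str, ip: str, service_level: str) -> UserSession:
        # A new session taking over an address evicts the old binding: dynamically
        # assigned addresses are reused, and the old user's policy must not
        # follow the address to its next owner.
        old = self.by_ip.get(ip)
        if old is not None:
            self.disconnect(old.session_id)
        session = UserSession(user_id, session_id, ip, service_level)
        self.by_ip[ip] = session
        self.by_session[session_id] = session
        return session

    def disconnect(self, session_id: str) -> None:
        session = self.by_session.pop(session_id, None)
        if session is not None and self.by_ip.get(session.ip) is session:
            del self.by_ip[session.ip]

    def user_for_packet(self, src_ip: str, dst_ip: str, from_user_side: bool) -> Optional[UserSession]:
        # From the user side the user is the sender; from the Internet side
        # the user is the destination. The other address is a remote server.
        ip = src_ip if from_user_side else dst_ip
        return self.by_ip.get(ip)


def relay_decision(table: BasSessionTable, src_ip: str, dst_ip: str,
                   from_user_side: bool, pools: Dict[str, str] = POOLS) -> str:
    """Return the relay treatment for a packet, chosen per user via the BAS table.
    Unknown addresses and unknown service levels get the default treatment."""
    session = table.user_for_packet(src_ip, dst_ip, from_user_side)
    if session is None:
        return pools["default"]
    return pools.get(session.service_level, pools["default"])
```

The decision is keyed on the user, not on the address, which is what an ordinary load balancer at the same position cannot do: it sees only the IP address and has no way to learn the current assignment.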
In this specification, “layer 2” refers to the data link layer of an OSI (Open Systems Interconnection) reference model. “Layer 3” refers to the network layer of an OSI reference model. In the invention, it is assumed that IP (IPv4 or IPv6) is used for the layer 3 protocol.
If it is attempted to provide a secure service to a user using a BAS together with a security apparatus such as a firewall, the difference in packet relay performance between the BAS and the security apparatus poses a problem. For example, at present the relay performance of a BAS, even for a low performance model, is 1 Gigabit/second, whereas a highly efficient firewall of the type which can inspect the TCP (Transmission Control Protocol)/UDP (User Datagram Protocol) payload of a packet, even for a high performance model, has an upper limit of about 500 Megabits per second. It may further be expected that, due to factors such as improvement in network forwarding performance, improvement in the processing performance of terminal hosts and improved attack techniques, advanced security apparatuses such as firewalls will become even more sophisticated at the same time as the relay performance of communication relay apparatuses which do not offer advanced security functions, such as BASs or routers, improves. Therefore, the relay performance gap between BASs, routers and security apparatuses may widen in future.
Under such conditions, in order to obtain security processing performance sufficient to provide a security service for most users under a BAS, load balancing of the security apparatus is effective.
However, in load balancing using prior art technology, it is necessary to provide a load balancer separate from the BAS or load balancing target apparatus (security apparatus), or the load balancing target apparatus needs to have an autonomous load balancing function. In the former method, financial cost may increase and packet forwarding performance may suffer due to the introduction of the load balancer. Moreover, in the case of (1) above, the load balancing algorithm is limited to hash or the like, so the load balancing performance desired by an administrator may not be obtained. In the case of (2) above, the load balancer on the other side needs to supervise the packet which passed through one load balancer, so packet forwarding performance may further decrease. Regarding the latter autonomous load balancing function, a load balancing target apparatus with this function would be expensive and the load balancing algorithm would be limited as in the case of (1).
In general, an IP address is dynamically assigned to a user host under the BAS, and neither the usual load balancer nor the load balancing target apparatus with an autonomous load balancing function has a means to acquire user data from other servers dynamically. Therefore, these apparatuses cannot determine a distribution destination based on user data, and a different service for every user cannot be provided.
Therefore there is a need to perform load balancing of a communication relay apparatus such as a firewall at the position of a BAS, to provide a load balancing relay method which is low cost, offers high forwarding performance and uses an arbitrary load balancing algorithm, and to provide a BAS/load balancer compatible therewith. There is further a need to provide a load balancing relay method which can apply different load balancing relay processing for every user where the BAS assigns a user host layer 2 session and an IP address dynamically, and a BAS/load balancer compatible therewith.